[Linux] X509 chains with user principal name (UPN) name constraints fail to build

[skeiffer]

Description

X509Chain.Build() throws a CryptographicException when building a chain that contains a user principal name (UPN) name constraint. This prevents the caller from getting any information about the validity of the chain.

This problem is due to openSSL not supporting UPN based name constraints and MapVerifyErrorToChainStatus not mapping the status code that openSSL provides for this error (51).

This only seems affect systems that rely on OpenSSL.

• Windows supports UPN name constraints correctly.
• MacOS does not support UPN name constraints but skips the check.

Reproduction Steps

Add the following unit test to ./src/libraries/System.Security.Cryptography/tests/X509Certificates/DynamicChainTests.cs

[Fact]
[SkipOnPlatform(TestPlatforms.Windows, "Windows supports UPN name constraints.")]
[SkipOnPlatform(PlatformSupport.AppleCrypto, "macOS ignores UPN name constraints.")]
public static void UnknownNameConstraintViolation_UserPrincipalName()
{
    SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();
    builder.AddUserPrincipalName("johndoe@microsoft.com");

    // exlude UPN name constraint for @microsoft.com
    string nameConstraints = "3024A1223020A01E060A2B060104018237140203A0100C0E406D6963726F736F66742E636F6D";

    TestNameConstrainedChain(nameConstraints, builder, (bool result, X509Chain chain) => {
        Assert.False(result, "chain.Build");
        Assert.Equal(PlatformNameConstraints(X509ChainStatusFlags.HasNotSupportedNameConstraint), chain.AllStatusFlags());
    });
}

Expected behavior

X509Chain.Build() does not throw an exception but adds a chain status flag to the chain. (ex: X509ChainStatusFlags.HasNotSupportedNameConstraint or similar)

Actual behavior

X509Chain.Build() throws a CryptographicException

Regression?

No response

Known Workarounds

No response

Configuration

No response

Other information

No response

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

X509Chain.Build() throws a CryptographicException when building a chain that contains a user principal name (UPN) name constraint. This prevents the caller from getting any information about the validity of the chain.

This problem is due to openSSL not supporting UPN based name constraints and MapVerifyErrorToChainStatus not mapping the status code that openSSL provides for this error (51).

This only seems affect systems that rely on OpenSSL.

• Windows supports UPN name constraints correctly.
• MacOS does not support UPN name constraints but skips the check.

Reproduction Steps

Add the following unit test to ./src/libraries/System.Security.Cryptography/tests/X509Certificates/DynamicChainTests.cs

[Fact]
[SkipOnPlatform(TestPlatforms.Windows, "Windows supports UPN name constraints.")]
[SkipOnPlatform(PlatformSupport.AppleCrypto, "macOS ignores UPN name constraints.")]
public static void UnknownNameConstraintViolation_UserPrincipalName()
{
    SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();
    builder.AddUserPrincipalName("johndoe@microsoft.com");

    // exlude UPN name constraint for @microsoft.com
    string nameConstraints = "3024A1223020A01E060A2B060104018237140203A0100C0E406D6963726F736F66742E636F6D";

    TestNameConstrainedChain(nameConstraints, builder, (bool result, X509Chain chain) => {
        Assert.False(result, "chain.Build");
        Assert.Equal(PlatformNameConstraints(X509ChainStatusFlags.HasNotSupportedNameConstraint), chain.AllStatusFlags());
    });
}

Expected behavior

X509Chain.Build() does not throw an exception but adds a chain status flag to the chain. (ex: X509ChainStatusFlags.HasNotSupportedNameConstraint or similar)

Actual behavior

X509Chain.Build() throws a CryptographicException

Regression?

No response

Known Workarounds

No response

Configuration

No response

Other information

No response

Author:	skeiffer
Assignees:	-
Labels:	area-System.Security
Milestone:	-

[skeiffer]

Fix looks to be as simple as adding X509VerifyStatusCodeUniversal.X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE to MapVerifyErrorToChainStatus to support handling this specific status code. I can submit a PR for this if needed.

Should tests be added to validate other validity checks are being processed when this is present (ie. CRL, partial chain, invalid signature, etc)? Or should that be left to the user's application as X509Chain.Build() would return false regardless?

As an aside I have tested a few of these scenarios already (CRL, PartialChain) and things do work as expected.

[bartonjs]

Assuming that Windows handles UPN constraints, there are really two issues here:

1. We should add UPN constraint enforcement to our secondary checks layer for macOS and Linux.
2. We should make up a test with an actually unhandled constraint and see what Windows does for the rest of chain processing (doing/skipping revocation checks, aborting the chain build, etc... as well as what all codes get mapped in).

If Windows actually doesn't do the UPN constraint enforcement (and it's just an app decision) then part 1 goes away.

[jozkee]

Assuming @vcsjones is not working on this already. @skeiffer if you want to invest in fixing this feel free to do so considering @bartonjs concerns.

[vcsjones]

Yep, sorry - I might be able to look at this later but not in the short term.

[skeiffer]

Hi @jozkee. I do not have the time to perform a more through implementation that @bartonjs is asking for. If this work could be assigned it would be greatly appreciated. If internal business justification is needed for scheduling/planning, we can provide that.